NAT Traversal for VoIP

Similar documents
MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT

UDP NAT Traversal. CSCI-4220 Network Programming Spring 2015

Technical White Paper for NAT Traversal

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

NAT (NAPT/PAT), STUN, and ICE

Abstract. Avaya Solution & Interoperability Test Lab

An Efficient NAT Traversal for SIP and Its Associated Media sessions

Research Article NAT Traversing Solutions for SIP Applications

Implementing SBC Firewall Traversal and NAT

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

On the Applicability of knowledge based NAT-Traversal for Home Networks

Effective Mechanisms for SIP/IMS Applications Traverse over NAT

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Internet Technology 4/29/2013

On the Applicability of Knowledge Based NAT-Traversal for Home Networks

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Internet Networking recitation #

Network Address Translators (NATs) and NAT Traversal

CDCS: a New Case-Based Method for Transparent NAT Traversals of the SIP Protocol

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

Overview of the Session Initiation Protocol

P2PSIP, ICE, and RTCWeb

Application Notes for Configuring SIP Trunking between Bandwidth.com SIP Trunking Solution and an Avaya IP Office Telephony Solution Issue 1.

RP-FSO522 2-Line FXO, 2-Line FXS SIP IP Gateway. Feature

NAT Tutorial. Dan Wing, IETF77, Anaheim March 21, 2010 V2.1

Network Access Transla0on - NAT

Advanced Computer Networks

SS7 VoIP Gateway Solution

8-Port SIP VoIP Gateway (8 FXS)

VG422R. User s Manual. Rev , 5

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

Network Address Translation

4 Port IP-PBX + SIP Gateway System

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

Application Notes for Configuring SIP Trunking between Global Crossing SIP Trunking Service and an Avaya IP Office Telephony Solution Issue 1.

KTA1010 INSTALL GUIDE

Yealink VCS Network Deployment Solution

CS519: Computer Networks. Lecture 7: Apr 14, 2004 Firewalls and NATs

Grandstream Networks, Inc. UCM6XXX Configuration Guide for Remote Extensions

Avaya PBX SIP TRUNKING Setup & User Guide

Allstream NGNSIP Security Recommendations

become a SIP School Certified Associate endorsed by the Telecommunications Industry Association (TIA)

Installation & Configuration Guide Version 4.0

Configuring Hosted NAT Traversal for Session Border Controller

Desktop sharing with the Session Initiation Protocol

AP500 4-Port FXS VoIP Gateway

Spectrum Enterprise SIP Trunking Service NEC Univerge SV8100 IP PBX Configuration Guide

Installation & Configuration Guide Version 1.6

Troubleshooting One Way Voice Issues

When placing an order for BT SIP Trunks customers are requested to sign this document to acknowledge that;

Application Notes for Configuring Tidal Communications tnet Business VoIP with Avaya IP Office using SIP Registration - Issue 1.0

Voice over IP (VoIP)

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

SBC Configuration Examples for Mediant SBC


200AE1 Network Services Gateway

Abstract. Avaya Solution & Interoperability Test Lab

Configure Basic Firewall Settings on the RV34x Series Router

X-Communicator: Implementing an advanced adaptive SIP-based User Agent for Multimedia Communication

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS32 Version 1.5) VozTelecom SIP Trunk service with Built-in Router

Chapter 1 Getting Started

An IP Network: Application s View. SIP & NATs / Firewalls. An IP Network: Router s View. Reminder: Internet Architecture

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution Issue 1.

Application Note Asterisk BE with SIP Trunking - Configuration Guide

EarthLink Business SIP Trunking. Toshiba IPEdge 1.6 Customer Configuration Guide

Configuring Multi-Tenants on SIP Trunks

EdgeMarc 250W Network Services Gateway

NEC: SIP Trunking Configuration Guide V.1

Operafone IP Professional installation guide

Added Features. 1. PPTP (Point-to-Point Tunneling Protocol)

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS32 Version 1.5) Peoplefone SIP Trunk service with External Router

Update from Taiwan SIP/ENUM Trial. By Dr. S.S. Tseng Ching Chiao (TWNIC) and Acer Hsu (CCL) th ETJP Meeting, Waseda University

Cisco IP Phone Configuration Guide

IT 341: Introduction to System

Expires: August 22, 2005 Microsoft R. Mahy Airspace February 21, 2005

Application Notes for Avaya IP Office Release 8.0 with AT&T Business in a Box (BIB) over IP Flexible Reach Service Issue 1.0

ICE: the ultimate way of beating NAT in SIP

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP

The SIP School ~ Mitel Style [based on MCD4.0]

SDP-R25 User Manual 05/06/2015

NAT Router Performance Evaluation

How to Make the Client IP Address Available to the Back-end Server

VoIP Basics. 2005, NETSETRA Corporation Ltd. All rights reserved.

Lecture 10: TCP Friendliness, DCCP, NATs, and STUN

Application Note. Microsoft OCS 2007 Configuration Guide

Security Enhancement by Detecting Network Address Translation Based on Instant Messaging

Lecture 12: TCP Friendliness, DCCP, NATs, and STUN

CSE/EE 461: Introduction to Computer Communications Networks Autumn Module 9

Grandstream Networks, Inc. Peering HT8XX with GXW410X

Application Note Asterisk BE with Remote Phones - Configuration Guide

Spectrum Enterprise SIP Trunking Service NEC Univerge SV9100 IP PBX Configuration Guide

GoIP Series SIM Card for GSM Voice Gateway User Manual

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Abstract. Avaya Solution & Interoperability Test Lab

TSIN02 - Internetworking

Application Notes for Configuring SIP Trunking between TelePacific SmartVoice SIP Connect and an Avaya IP Office Telephony Solution 1.

Rab Nawaz Jadoon. Characterizing Network Traffic DCS. Assistant Professor. Department of Computer Science. COMSATS IIT, Abbottabad Pakistan

Transcription:

NAT Traversal for VoIP Dr. Quincy Wu National Chi Nan University Email: solomon@ipv6.club.tw.tw 1 TAC2000/2000

NAT Traversal Where is NAT What is NAT Types of NAT NAT Problems NAT Solutions Program Download 2 TAC2000/2000

NTP VoIP Platform LABORATORY 117 W LAN Gateway Call Server Media Gateway Station Interface NCTU PBX Trunk Interface Phone 03-5912312 W LAN User WLAN AP Station Interface 03-5712121 Campus Network Hsinchu Edge Route TANet SIP Phone 0944021026 SIP Phone SIP Phone 0944021021 0944021022 Phone 31842 Phone 31924 Phone 31340 Phone 31350 PSTN Edge Route Call Server Media Gateway Station Interface PU PBX 04-26328001 Trunk Interface Taichung Adm in C onsole Campus Network Station Interface Phone 04-22251133 SIP Phone 0944021401 SIP Phone 0944021402 Phone 13411 Phone 13404 Phone 13419 Phone 13429 3 TAC2000/2000

What is NAT NAT - Network Address Translation RFC 3022 - Traditional IP Network Address Translator (Traditional NAT) RFC 1918 - Address Allocation for Private Internets (BCP 5) RFC 2993 - Architectural Implications of NAT RFC 3027 - Protocol Complications with the IP Network Address Translator RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines Convert Network Address (and Port) between private and public realm Works on IP layer Transparent for Application 4 TAC2000/2000

NAT Schematic Computer A IP: 10.0.0.1 Port: 80 NAT IP: 202.123.211.25 Port: 10080 Public Internet Computer B IP: 10.0.0.2 Port: 80 IP: 202.123.211.25 Port: 20080 Public NIC DHCP Client PPPoE Client DHCP Server Mapping Table 10.0.0.1:80 <-> 10080 10.0.0.2:80 <-> 20080 Private NIC 5 TAC2000/2000

Full Cone Restricted Cone Port Restricted Cone Symmetric Types of NAT 6 TAC2000/2000

Full Cone NAT Client send a packet to public address A. NAT allocate a public port (12345) for private port (21) on the client. Any incoming packet (from A or B) to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 Mapping Table 10.0.0.1:21 <-> 12345 NAT IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 7 TAC2000/2000

Restricted Cone NAT (1/2) Client send a packet to public address A. NAT allocate a public port (12345) for private port (21) on the client. Only incoming packet from A to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT Mapping Table 10.0.0.1:21 <-> 12345 (for A) IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 8 TAC2000/2000

Restricted Cone NAT (2/2) Client send another packet to public address B. NAT will reuse allocated public port (12345) for private port (21) on the client. Incoming packet from B to public port (12345) will now dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT Mapping Table 10.0.0.1:21 <-> 12345 (for A) 10.0.0.1:21 <-> 12345 (for B) IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 9 TAC2000/2000

Port Restricted Cone NAT Client send a packet to public address A port 20202. NAT will allocate a public port (12345) for private port (21) on the client. Only incoming packet from address A and port 20202 to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Port: 30303 Mapping Table 10.0.0.1:21 <-> 12345 (for A : 20202) 10.0.0.1:21 <-> 12345 (for A : 30303) 10 TAC2000/2000

Symmetric NAT NAT allocate a public port each time the client send a packet to different public address and port Only incoming packet from the original mapped public address and port will dispatch to private port on client Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 IP: 202.123.211.25 Port: 45678 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 Mapping Table 10.0.0.1:21 <-> 12345 (for A : 20202) 10.0.0.1:21 <-> 45678 ( for B : 10101) 11 TAC2000/2000

VoIP Protocol and NAT NAT convert IP addresses on IP layer Problem 1: SIP, H.323, Megaco and MGCP are application layer protocol but contain IP address/port info in messages, which is not translated by NAT Problem 2: Private client must send a outgoing packet first (to create a mapping on NAT) to receive incoming packet 12 TAC2000/2000

Lab Environment UA1: UA behind NAT. UA2: SIP device outside NAT. Call Server: SIP-express router 0.8.12. NAT: Linux Fedora Core 2. Packet Capturer: Ethereal-0.9.15. Call Server NCNU-SIP.ipv6.club.tw 0944021404 UA1 NAT IPv6 only 0944021021 UA2 Ethereal 13 TAC2000/2000

The Problem (1/2) Due to private address, the Via header and Contact address in SIP messages sent by UA1 are incorrect. With incorrect Via header, responses of messages sent by UA1 cannot be routed back. With incorrect Contact address in REGISTER messages, call server cannot inform UA1 the incoming calls. UA1 can only act as a calling party. 14 TAC2000/2000

Incorrect REGISTER Message LABORATORY 117 15 TAC2000/2000

The Problem (2/2) When UA1 initiate a call, the connection information for media establishment in SDP are also incorrect. UA2 gets a private peer address, the RTP packets from UA2 cannot be routed to UA1. Media can only be sent from UA1 to UA2. 16 TAC2000/2000

Incorrect Fields in SDP of INVITE Message LABORATORY 117 17 TAC2000/2000

Solving NAT Traversal Problems Target: Discover mapped public IP & port for private IP & port Use mapped public IP & port in application layer message Keep this mapping valid Timing Issue NAT will automatically allocate a public port for a private address & port if need. NAT will release the mapping if the public port is idle No TCP connection on the port No UDP traffic on the port for a period (45 sec ~ 5 min) Keep a TCP connection to target Send UDP packet to target every specified interval 18 TAC2000/2000

NAT Solutions IPv6 (Internet Protocol Version 6) UPnP (Universal Plug-and and-play) UPnP Forum - http://www.upnp.upnp.org/.org/ VPN (Virtual Private Network) Proprietary protocol by NAT/Firewall SIP ALG (Application Level Gateway) No standard now. Not applicable for existing NATs. SIP extensions for NAT traversal RFC 3581 - rport Works for SIP only, can not help RTP to pass through NAT STUN (Simple Traversal of UDP Through Network Address Translators) s) RFC 3489 Works except symmetric NAT TURN (Traversal Using Relay NAT) draft-rosenberg rosenberg-midcom-turn-08 for symmetric NAT 19 TAC2000/2000

UPnP Universal Plug-and-Play 20 TAC2000/2000

LABORATORY 117 NAT Traversal with UPnP NAT NAT Device NAT Device NAT! IGD -- Internet Gateway Device UPnP Device (IGD) Public IP, 21 TAC2000/2000

NAT 22 TAC2000/2000

LABORATORY 117 UPnP IGD UPnP / public IP mapping port mapping port mapping 23 TAC2000/2000

LABORATORY 117 UPnP NAT UPnP Control Message IGD Port Mapping : : 192.168.0.14 port 10001 UDP IGD port mapping 24 TAC2000/2000

IGD Control Message POST /upnphost/udhisapi.dll?control?control=uuid:c3038e95-ea88-4d5c-98ff-3ad68f7aaa32+urn:upnp-org:serviceid:wanipconn1:wanipconn1 HTTP/1.1 Host: 192.168.0.1:2869 Content-Length: 734 Content-Type: text/xml; charset="utf "utf-8" SOAPAction: : "urn:schemas-upnp upnp-org:service:wanipconnection :WANIPConnection:1#AddPortMapping" <SOAP-ENV:Envelope xmlns:soap :SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/".org/soap/envelope/" SOAP-ENV ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">.org/soap/encoding/"> <SOAP-ENV:Body> <u:addportmapping xmlns:u="urn:schemas :u="urn:schemas-upnp-org:service:wanipconnection:1">:1"> <NewRemoteHost></ ></NewRemoteHost> <NewExternalPort>17769</ >17769</NewExternalPort> <NewProtocol>UDP</ >UDP</NewProtocol> <NewInternalPort>10001</ >10001</NewInternalPort> <NewInternalClient>192.168.0.146</ >192.168.0.146</NewInternalClient NewInternalClient> <NewEnabled>1</ >1</NewEnabled> <NewPortMappingDescription>s2EAYp (192.168.0.146:10001) 17769 UDP</NewPortMappingDescription /NewPortMappingDescription> <NewLeaseDuration>0</ >0</NewLeaseDuration> </u:addportmapping :AddPortMapping> </SOAP-ENV:Body> </SOAP-ENV:Envelope> 25 TAC2000/2000

LABORATORY 117 Current Defects of UPnP Aging port mapping UPnP Multi-level level NAT NAT IP 26 TAC2000/2000

Simple Traversal of UDP Through Network Address Translators (STUN) 27 TAC2000/2000

STUN (RFC 3489) A mechanism for a socket behind NAT(s) to get its mapped (IP,port) on Internet. Check whether UA is behind NAT. If not true, the STUN mechanism is not applied. When new socket is created, use this socket to request its mapped (IP,port) from STUN server. The response IP is stored in a string buffer. The response port is saved in a table, using source port as key. When UA wants to stuff local IP or port in a message, it will first look up mapped IP or port in the table. 28 TAC2000/2000

STUN Server Allow clients to discover if it is behind a NAT, what type of NAT T it is, and the public address & port NAT will use. Very Simple Protocol, Easy to implement, Little load Client want receive packet at port 5060 Send a query to STUN server from port 5060 STUN Server receive packet from 202.123.211.25 port 12345 Client IP: 10.0.0.1 Port: 5060 NAT IP: 202.123.211.25 Port: 12345 STUN Server IP: 222.111.99.1 Port: 20202 STUN Server send a response packet to client. Tell him his public address is 202.123.211.25 port 12345 29 TAC2000/2000

Use STUN for SIP Registration Use port 5060 to send a packet to STUN Server Receive public address & port mapped to client:5060 from STUN Server Fill the SIP register message with client s s public address & port, send to proxy server Client IP: 10.0.0.1 Port: 5060 NAT IP: 202.123.211.25 Port: 12345 STUN Server IP: 222.111.99.1 Port: 20202 REGISTER sip:222.111.33.1 SIP/2.0 Via: SIP/2.0/UDP 202.123.211.25:12345 From: Wang <sip:wang@140.128.10.129:5060> To: Wang <sip:wang@140.128.10.129:5060> Contact: Wang <sip:wang@202.123.211.25:12345> Proxy Server IP: 140.128.10.129 Port: 5060 30 TAC2000/2000

Corrected SIP Message LABORATORY 117 31 TAC2000/2000

LABORATORY 117 Use STUN for RTP Send two STUN queries from RTP port (9000 & 9002) to STUN Server Use replied public address & port in SDP Client IP: 10.0.0.1 RTP Port: 9000 RTP Port: 9002 NAT IP: 140.113.131.72 Port: 56539 Port: 56541 STUN Server IP: 222.111.99.1 Port: 3478 INVITE Content-Type: application/sdp Proxy Server IP: 222.111.33.1 Port: 5060 UA RTP Port: 9000 RTP Port: 9002 32 TAC2000/2000

Corrected SDP LABORATORY 117 33 TAC2000/2000

Download UACom.dll with STUN support Close your running SIP UA. Remove the UACom.dll file in your C:\WinApp WinApp\NBENUA directory. Download the new UACom.dll from http://voip /voip.ipv6.club.tw/download/ and save it at C:\WinApp WinApp\NBENUA. Start SIP UA again. The registration and call setup will be successful. cessful. Our implementation supports incoming calls. STUN Client A diagnosis tool which utilizes STUN mechanism to find out the type t of NAT. Usage: stun-client STUN.ipv6.club.tw.tw stun-client t t STUN.ipv6.club.tw.tw stun-client p p 5060 STUN.ipv6.club.tw.tw Note: Be sure to close any running SIP UA before you run the STUN N client. 34 TAC2000/2000

Running STUN Client on a PC in Private LAN 35 TAC2000/2000

stun-client STUN.ipv6.club.tw 36 TAC2000/2000

stun-client t STUN.ipv6.club.tw 37 TAC2000/2000

Testing STUN & SIP UA Applying STUN mechanism in VoIP has been proved to be successful. More field trials must be conducted to make sure that it interoperates with most NAT devices. 38 TAC2000/2000

Clients Behind Symmetric NAT Provide a Call Server with RTP relay for non-upgradeable IP phone or Softphone The loading for this server would be terribly heavy Private Address Domain Symmetric NAT Public Address Domain Call Server with RTP Relay IP Phone B NAT port 12345 RTP IP Phone A Mapping Table 192.168.10.1:5060 <-> 10120 (for Call Server : 5060) 192.168.10.1:9000 <-> 12345 (for Call Server : 9000) 39 TAC2000/2000

Summary STUN is a good solution for non-symmetric NAT Suitable for small-scale scale solution Client-side Enterprise-serverserver Compatible with most NATs STUN server is easy to implement and low-cost Call Server w/ RTP Relay may be needed, if the users cannot make sure whether they are behind a symmetric NAT Capacity is limited Centralized server is expensive That s s why Skype distributed the loading to individual users UPnP is a promising solution, but its nature is competing with IPv6. Peer-to to-peer vs. Gateway/Device model 40 TAC2000/2000

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback